Published: Wednesday, August 11, 1999
Protecting Everything
When you put something on the web, you've got to be careful, because anyone can access
it if they just guess the correct URL. If you have sensitive material, or material that folks must
pay for, then you want to make sure that not just anybody can get to it. The inspiration for this article
comes from an ASP Messageboard post, which reads:
I have a problem and that is that my company decided to make customers' invoices available through
the extranet. This is all fine and good except that I have to program the thing.
The situation is as follows:
- Invoices are generated with a program that leaves a bunch of pdf files in a directory ( INV/00001.PDF; INV/00002.PDF; Etc. )
- There is a table in oracle that has ( ACCT, PASS )
- There is a table in oracle that has ( ACCT, FILE, DATE )
- There is a Form with ACCT, PASS
The form submits to an asp that looks up ACCT in table 1 and compares PASS in the form with PASS in the table. If it is ok then look up in Table 2 all records that match ACCT.
The resulting html file is something like this:
<% Do Until RS_2.EOF %>
<a href="/INV/<%=RS_2("FILE")%>">
<%=RS_2("DATE")%>
</a>
<% RS_2.movenext
Loop
%>
Now what is to stop someone from looking at the url and starting to type in the address bar something like:
http://svrname/inv/0099.pdf
and seeing someone else's invoice?
How can I make this project viable and secure?
Well, we are going to use ASP to hide our files. Rather than linking directly to the file using the
method shown above (<A HREF="/INV/<%=RS_2("FILE")%>">), we will instead link to
an ASP file called showFile.asp. Through the querystring we will pass in the file name
(less the directory), the content type, the UserName, and the Password.
Previously, the field RS_2("FILE") probably contained the full URL to the PDF file. All
we want it to contain is the actual file name. We will bury all of the PDF files in a long, deep
directory path, to greatly minimize the chances of someone just guessing the URL of the PDF files.
(If someone were to guess the full URL of the PDF files, and typed that URL into their browser,
they would be able to view the PDF files; it's not a security flaw, just the nature of the web.)
To accommodate the changes we will need to change the looping code to:
<%
' Server.URLEncode stops characters such as & or # in a file name, username or
' password from breaking the querystring apart into extra parameters.
Do Until RS_2.EOF %>
<a href="/scripts/showFile.asp?File=<%=Server.URLEncode(RS_2("FILE"))%>&
UserName=<%=Server.URLEncode(username)%>&
Password=<%=Server.URLEncode(password)%>&
ContentType=application/pdf">
<%=RS_2("DATE")%>
</a>
<% RS_2.movenext
Loop
%>
(Note that the above HREF was broken into multiple lines to make it easier to read through your
browser. The entire HREF needs to be on one line...)
Now, what we need to accomplish in showFile.asp is the following: first, verify that
the user has rights to look at this file. If he or she does not, then we want to redirect them to
a page explaining that they do not have adequate permissions to view that particular PDF file.
The reason we need to verify the username/password is to stop someone from calling showFile.asp
and guessing at PDF file names. For example, if their invoice is 00001.pdf, they might try 00002.pdf,
which might be an invoice for another client. We don't want them to see 00002.pdf if it's not their
invoice!
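The checks described above, carried through in a showFile.asp, as an added example that is not the article's own code (Part 2 is not on this page). It assumes a connection string, Oracle tables named ACCOUNTS(ACCT, PASS) and INVOICES(ACCT, FILE, DATE), an invoice directory kept outside the web root, and ADODB.Stream (ADO 2.5 or later) for binary output; none of these names come from the article.

```asp
<%
Option Explicit
' Added example (not from the original article or Part 2): a showFile.asp that
' serves a PDF only after checking the credentials and that the file belongs to
' that account. Assumed: the connection string in strConn, the two Oracle tables
' named ACCOUNTS(ACCT, PASS) and INVOICES(ACCT, FILE, DATE), an invoice
' directory outside the web root in strInvoiceDir, and ADODB.Stream (ADO 2.5+).
Dim strConn, strInvoiceDir
strConn = "Provider=MSDAORA;Data Source=ORCL;User Id=webuser;Password=secret"
strInvoiceDir = "D:\private\invoices\"

Dim sAcct, sPass, sFile
sAcct = Request.QueryString("UserName")
sPass = Request.QueryString("Password")
sFile = Request.QueryString("File")

' Parameterised lookup of the (ACCT, PASS, FILE) combination. Joining both
' tables in one query means a guessed file name belonging to another customer
' gets the same "no rows" answer as a wrong password.
Dim cn, cmd, rs
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open strConn
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandText = "SELECT i.FILE AS FNAME FROM ACCOUNTS a, INVOICES i " & _
                  "WHERE a.ACCT = ? AND a.PASS = ? AND i.ACCT = a.ACCT AND i.FILE = ?"
cmd.Parameters.Append cmd.CreateParameter("acct", 200, 1, 50, sAcct)  ' 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("pass", 200, 1, 50, sPass)
cmd.Parameters.Append cmd.CreateParameter("file", 200, 1, 255, sFile)
Set rs = cmd.Execute

If rs.EOF Then
    rs.Close: cn.Close
    Response.Redirect "/noaccess.asp"   ' ends the response here
End If

' Build the path from the stored value, never from the raw query string, and
' fix the content type server-side instead of trusting the ContentType parameter.
Dim stm
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = 1                            ' 1 = adTypeBinary
stm.Open
stm.LoadFromFile strInvoiceDir & rs("FNAME")
rs.Close: cn.Close

Response.ContentType = "application/pdf"
Response.BinaryWrite stm.Read
stm.Close
%>
```

Because the directory is outside the web root, a request for the PDF's real path never reaches IIS as a URL, so the only way to the file is through this check.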
You may be wondering how we're going to do all of this... well, that will all be explained in the
next part of this article!
Proceed to Part 2